Functional safety, part 7 of 7. Methods for ensuring information and functional safety



    To conclude this series of publications on functional safety, today's article considers which organizational and technical methods are used to ensure functional safety.

    Most of these methods can also be applied to ensuring information security within the concept of integral safety (safety & security) of modern control systems.

    The set of methods analyzed here is based on the requirements of IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems". For the specifics of ensuring information security of industrial control systems, NIST SP 800-82 "Guide to Industrial Control Systems (ICS) Security", considered in one of the previous articles, is taken as the basis.

    IEC 61508: Methods and means of ensuring functional safety


    When certifying for compliance with the requirements of IEC 61508 at a given SIL (Safety Integrity Level), it is important to demonstrate, firstly, that the product contains the necessary and sufficient mechanisms for ensuring functional safety (FS) and, secondly, that the necessary and sufficient set of methods for ensuring FS was used in the development process. Proceeding from this, we conditionally divide the methods of ensuring FS into technical and organizational ones.

    Methods of ensuring FS are aimed at protecting against random hardware failures caused by physical aging of elements, as well as against systematic failures caused by imperfect design processes. Since in the modern world FS cannot be considered in isolation from information security (IS), the methods for ensuring FS also, for the most part, provide protection against cyber attacks.

    At the same time, most methods are combined, that is, the same method is to a greater or lesser extent aimed at protecting against both random and systematic failures.

    A description of the methods for ensuring FS is contained in IEC 61508-7, Overview of techniques and measures. However, to understand the requirements for applying a particular method, part 7 alone is not enough.
    Part 2 of IEC 61508, which is dedicated to ensuring the FS of systems and hardware, and part 3, which contains the software requirements, have three important annexes that define the methods and tools for protection against random and systematic failures. The structure of IEC 61508 is such that the methods and means themselves are described in detail in part 7. Thus, the requirements for protection against failures from parts 2 and 3 of IEC 61508 are traced into the description of the methods and means for ensuring FS in part 7. This relationship is shown in Figure 1.



    Figure 1. Structure of safety methods according to IEC 61508

    Annex A of part 2 of IEC 61508 addresses the monitoring of hardware failures during operation, and it is understood that these can be either random or systematic failures. A detailed description of protection against random failures is given in Annex A of part 7 of IEC 61508. Methods of protection against random failures are divided into categories depending on the type of hardware under consideration, for example, electrical components, electronic components, processor modules, memory, etc.

    Annex B of part 2 of IEC 61508 discusses methods of protection against systematic hardware failures throughout the life cycle. It should be noted that IEC 61508 considers design errors, operation errors and extreme external influences (climatic, mechanical, radiation and others) as sources of systematic hardware failures. A detailed description of the relevant methods is contained in Annex B of part 7 of IEC 61508. The structure of the presentation of methods of protection against systematic hardware failures has its own peculiarities; for example, the category B.1 General measures and techniques includes such different methods as Project Management, Documentation, Separation and Diversity. The remaining methods are distributed over the stages of the life cycle.

    Annex A of part 3 of IEC 61508 provides guidance on the selection of software development and testing methods to achieve functional safety. A detailed description of the relevant methods is contained in Annex C of part 7 of IEC 61508. Here, in category C.1 General, no methods are described at all. The remaining methods are divided into categories: requirements and detailed design, architectural design, tools and programming languages, verification and modification, and functional safety assessment.

    To illustrate the foregoing in IEC 61508, consider the simplest table that defines the methods used to ensure the functional safety of software at the stage of developing the specification of requirements (see Figure 2).



    Figure 2. IEC 61508-7, Table A.1 - Software safety requirements specification

    Let's say we are interested in safety integrity level SIL3. The methods marked HR (Highly Recommended) in the "SIL3" column must be applied; in practice it will be nearly impossible to explain to the certification body why a highly recommended method was not used. Methods marked R (Recommended) can be used, but they can also be discarded with justification. With Table A.1 for SIL3 everything is quite simple. The use of formal methods is recommended, but semi-formal methods have the higher priority (Highly Recommended), so if semi-formal methods are used, formal ones can be dispensed with. Forward and backward traceability is also mandatory (requirements tracing was already discussed in previous publications). The use of software tools to support traceability and specification development goes without saying.

    As we have already said, it is advisable to divide security methods into organizational and technical ones. We now consider these two groups.

    Organizational methods for ensuring information and functional safety


    In fact, organizational measures have already been considered in previous publications of this series. These include FS management, project management, life cycle management, and development and testing methods. Let us give a short summary of these methods following the structure of IEC 61508. All of them can be applied equally to functional safety and to information security.

    Project management


    The application of project management methods allows us to ensure the required level of safety, that is, to stay within the so-called "quality triangle". The "Project Management Body of Knowledge" (PMBOK) contains recommendations on the implementation of processes at all stages of the project life cycle.

    Documentation


    Documentation and documentation management are an important method of capturing all the technical and organizational decisions made while developing a safety-critical product. Particular attention is paid to documenting changes made to products and processes. Documentation must be maintained throughout the life cycle.

    Life cycle of IS and FS


    Implementing the life cycle of information security and functional safety is a requirement that has already been discussed in detail in previous publications. IEC 61508 places particular emphasis on such aspects as:

    - a structured system and software development process;
    - implementation of the verification and validation process, consisting in the phased implementation of reviews, analysis and testing;
    - product support after release, taking into account feedback on the results of operation.

    Using best practices and coding standards


    IEC 61508 requires the safe use of programming languages, which means using strongly typed languages that support structured programming, and it is recommended that a limited subset of language constructs be used. For example, for the microcontrollers of safety systems, preference is given to C rather than C++. Appropriate standards, such as MISRA, are used to define coding rules and prohibited constructs.

    Coding standards and best practices define a set of coding conventions that are used in software development as requirements on the code. Such conventions include naming and commenting rules, indentation and formatting rules, complexity limits, etc.

    A common practice is so-called defensive programming: when a critical problem occurs, the software shuts down in a predetermined manner, i.e. it puts the system into a safe state.

    Using Certified Compilers and Libraries


    When developing safety-critical software, it must be ensured that the compiler converts the source code into an executable in a predictable and deterministic manner. For this, certified compilers and code translators are used, as well as certified libraries of software components. In the past few years, leading manufacturers of microprocessors and FPGAs have released versions of compilers and related libraries that have been certified and, accordingly, can be used to develop safety software. Current trends in electronics engineering are leading to ever greater integration of the software and hardware design of programmable components, so the role of development tools, and their impact on safety, will only increase.

    Quality control in hardware manufacturing


    In the manufacture of hardware, special attention is paid to the quality of printed circuit boards with electronic components installed on them. Quality control consists of such components as:

    - development and verification of a hardware project;
    - quality management of purchased materials and components;
    - production management;
    - quality inspection at the production site;
    - testing of released hardware.

    Using formal and semi-formal notations


    Another organizational method required by IEC 61508 is the use of formal and semi-formal notations to develop requirements specifications and designs of systems, software and hardware components. Currently, the most common semi-formal notations for designing programmable systems are IDEF and UML.
    For programmable logic controllers, the typical programming languages supported by most development environments are defined and described in IEC 61131-3. The most common is the graphical language FBD (Function Block Diagram), which is in effect a formal notation for software design.

    Technical methods for ensuring FS


    Let's start by reviewing the architecture of process control systems (see Figure 3). The system includes:

    - power supply components;
    - field equipment (sensors and actuators);
    - programmable logic controllers, including input and output modules and control modules;
    - network equipment, servers and components of the human-machine interface.



    Figure 3. Typical architecture of process control systems (source: ISA / IEC 62443)

    Redundancy


    Now we will consider how redundancy can be implemented for process control systems.
    Redundancy can be implemented for individual components or groups of them, as well as for the system as a whole. It is the latter case that is shown here (see Figure 4).



    Figure 4. Duplication of ICS components

    Let's start with the power supply. Ideally, maximum independence is ensured when the independent channels of the system are powered by independent sources. The diagram shows that the first channel is powered by an alternating current source, and the second channel is supplied by direct current. Then, in case of power problems in one of the power supply systems, only one of the channels will be de-energized. Ensuring continuity and quality of power supply even in extreme conditions is a vital aspect of ensuring the safety of control systems.

    Redundant sensors, controllers, and actuators may be used. Between channels, information exchange protocols can be organized (they are indicated in green on the diagram), or maximum independence between channels can be realized, and then there will be no exchange.

    In addition, a duplicated network architecture and a duplicated human-machine interface with duplicated computing components and data warehouses can be implemented.

    Diversity in redundancy


    Diversity is a type of redundancy in which the same function in the redundant channels is performed in different ways, for example, using different equipment or different software.

    Ordinary redundancy does not protect against systematic failures caused by design errors. Therefore, if the channel versions are designed differently, the number of common-cause failures (failures of several channels from the same cause) will decrease, at least in theory. This is accounted for by the so-called β-factor, which is the ratio of the number of common-cause failures (or their failure rate) to the total number of failures (or the total failure rate). The β-factor depends on the diversity strategy used: the greater the difference between the channels, the lower the value of the β-factor (see Figure 5).



    Figure 5. Reducing the number of common-cause failures by using diverse duplicated channels (source: IEC 61508)

    Of course, diversity is an extremely expensive method that increases the cost of the system many times over, but in some high-risk industries, for example in nuclear power, it is justified and required by the standards.
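    As an added illustration (not part of the original article), the β-factor defined above can be written out and applied to a duplicated (1oo2) channel pair using the simplified average-PFD expression from IEC 61508-6; the failure rate, proof-test interval and the two β values below are assumed for illustration only.

\[
\beta = \frac{\lambda_{CC}}{\lambda_{total}}, \qquad
\lambda_{CC} = \beta\,\lambda, \qquad
\lambda_{ind} = (1-\beta)\,\lambda
\]

    For two channels, each with dangerous undetected failure rate \(\lambda\) and proof-test interval \(T\), the simplified IEC 61508-6 expression for the 1oo2 average probability of failure on demand is

\[
PFD_{1oo2} \approx \frac{\big((1-\beta)\,\lambda\,T\big)^2}{3} + \frac{\beta\,\lambda\,T}{2}
\]

    Taking \(\lambda = 10^{-6}\ \text{h}^{-1}\) and \(T = 8760\ \text{h}\) (so \(\lambda T = 8.76\cdot10^{-3}\)):

\[
\beta = 0.10:\quad PFD_{1oo2} \approx 2.1\cdot10^{-5} + 4.4\cdot10^{-4} \approx 4.6\cdot10^{-4}
\]
\[
\beta = 0.02:\quad PFD_{1oo2} \approx 2.5\cdot10^{-5} + 8.8\cdot10^{-5} \approx 1.1\cdot10^{-4}
\]

    In both cases the common-cause term dominates the independent-failure term, which is why adding a second identical channel alone gains little: only reducing β, i.e. increasing the diversity between the channels, brings the PFD down noticeably.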

    Independence and separation of components


    Another method that complements redundancy is the principle of independence and separation of components, aimed at preventing the spread of failures between systems and their components. Separation can be physical when, for example, the channels of the system are physically located in different rooms or at a considerable distance from each other (see Figure 6). Electrical separation is also used, including, for example, galvanic isolation, as well as functional and communication independence, for example, cable shielding and separation of electrical and signal cables.




    Figure 6. Physical and electrical independence of channels (source: IEC 60709)

    Self-diagnosis


    The self-diagnosis of digital devices can be simplistically described as follows (see Figure 7).



    Figure 7. Implementation of diagnostics in control systems

    Along with the main digital control algorithms, the system runs diagnostic data processing and a watchdog in parallel. All three processes are performed independently of each other: independent clock sources, different chips, etc. can be used.

    The watchdog monitors a simple response (a heartbeat) from the chips that process the data, and when a problem is detected (the response stops) it turns off the power and puts the system into a safe state. In addition, the watchdog can monitor the supply voltage and issue the same shutdown command if the supply deviates dangerously from the set level. The safe state for safety systems, as a rule, is to de-energize the analog and digital outputs. If necessary, the safety system can instead supply power to the actuators, but then additional signal converters are required at the output.

    If self-diagnosis has detected a critical problem (for example, failure of hardware nodes, violation of the hardware or software configuration, a data transfer violation, etc.), then a command is issued to put the system into a safe state, which is executed just as if the command had come from the main control logic.

    Now let’s summarize what typical functions should be performed by the self-diagnosis of digital devices. The functions of watchdogs and power control have just been reviewed.

    An important diagnostic function is monitoring the configuration of the software and hardware. This property also affects information security. During operation, each hardware module periodically transmits information about its serial number and the configuration of the loaded software (for example, a checksum). If a configuration violation is detected, the system performs the specified protective actions, up to the transition to a safe state and power off.

    Another option for detecting a hang (freeze) is internal or external timers that monitor the execution time of individual control logic modules. Tasks can be restarted several times; after several unsuccessful restarts, a decision can likewise be made to switch to the safe state.
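    The watchdog, supply-voltage supervision and restart-then-safe-state logic described in the preceding paragraphs can be modelled in a few dozen lines. The following is an added example, not code from the article or from any particular controller vendor; the task count, heartbeat timeout, restart budget, and the 24 V supply window are assumed values chosen for the simulation.

```c
/* Added example, not code from the article: a software model of the watchdog
 * and hang-detection scheme. Task count, timeouts, restart budget and the
 * supply-voltage window are assumed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_TASKS         2      /* task 0: control logic, task 1: diagnostics */
#define HEARTBEAT_TIMEOUT 3      /* watchdog ticks without progress -> task hung */
#define MAX_RESTARTS      2      /* restarts allowed before forcing the safe state */
#define V_NOMINAL_MV      24000  /* assumed 24 V supply */
#define V_TOLERANCE_MV    2400   /* assumed +/-10 % window */

typedef enum { STATE_RUN, STATE_SAFE } sys_state_t;

typedef struct {
    uint32_t heartbeat;        /* incremented by the task once per cycle */
    uint32_t last_heartbeat;   /* value observed at the previous watchdog tick */
    uint32_t last_seen_tick;   /* watchdog tick at which progress was last seen */
    uint8_t  restarts;
} task_monitor_t;

typedef struct {
    task_monitor_t tasks[NUM_TASKS];
    sys_state_t    state;
    bool           outputs_energized;
    uint32_t       tick;
} watchdog_t;

void watchdog_init(watchdog_t *wd)
{
    *wd = (watchdog_t){0};
    wd->state = STATE_RUN;
    wd->outputs_energized = true;
}

/* The safe state de-energizes all outputs and is only left by operator action,
 * so entering it twice is harmless. */
void enter_safe_state(watchdog_t *wd, const char *reason)
{
    if (wd->state != STATE_SAFE) {
        wd->state = STATE_SAFE;
        wd->outputs_energized = false;
        printf("SAFE STATE: %s\n", reason);
    }
}

/* Called by each supervised task once per cycle from its own context. */
void task_heartbeat(watchdog_t *wd, int task_id)
{
    wd->tasks[task_id].heartbeat++;
}

bool supply_voltage_ok(int32_t mv)
{
    return mv >= V_NOMINAL_MV - V_TOLERANCE_MV && mv <= V_NOMINAL_MV + V_TOLERANCE_MV;
}

/* One watchdog tick, driven by the watchdog's own clock. A supply deviation
 * shuts down immediately; a hung task is restarted up to MAX_RESTARTS times. */
sys_state_t watchdog_tick(watchdog_t *wd, int32_t supply_mv)
{
    wd->tick++;
    if (!supply_voltage_ok(supply_mv)) {
        enter_safe_state(wd, "supply voltage out of range");
        return wd->state;
    }
    for (int i = 0; i < NUM_TASKS; i++) {
        task_monitor_t *t = &wd->tasks[i];
        if (t->heartbeat != t->last_heartbeat) {
            t->last_heartbeat = t->heartbeat;
            t->last_seen_tick = wd->tick;
        } else if (wd->tick - t->last_seen_tick >= HEARTBEAT_TIMEOUT) {
            if (t->restarts < MAX_RESTARTS) {
                t->restarts++;
                t->last_seen_tick = wd->tick;  /* fresh window for the restarted task */
                printf("task %d hung, restart %u\n", i, (unsigned)t->restarts);
            } else {
                enter_safe_state(wd, "task hung after repeated restarts");
            }
        }
    }
    return wd->state;
}

/* Scenario: the control task keeps running, the diagnostic task never reports.
 * Returns the tick at which the safe state was entered (0 if never). */
uint32_t simulate_hung_task(void)
{
    watchdog_t wd;
    watchdog_init(&wd);
    for (uint32_t i = 1; i <= 100; i++) {
        task_heartbeat(&wd, 0);
        if (watchdog_tick(&wd, V_NOMINAL_MV) == STATE_SAFE)
            return i;
    }
    return 0;
}

int main(void)
{
    printf("safe state entered at tick %u\n", (unsigned)simulate_hung_task());
    return 0;
}
```

    With these constants a task that stops reporting is restarted at ticks 3 and 6 and the system is driven to the safe state at tick 9, while a supply excursion outside the window forces the safe state on the very next tick. In a real controller the heartbeat would be a hardware signal toggled from the task context and the watchdog would live on a separate chip with its own oscillator, as the text describes.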

    An important function of control systems is ensuring the accuracy of measurement of input and output analog signals. To diagnose measurement accuracy, redundant ADCs and DACs can be used, whose processing results are compared, producing a diagnostic message about the agreement or mismatch of the results.

    Much attention in control systems is paid to the transmission of data packets, both through communication channels and during processing, distributed between the components of software and hardware. Here, for diagnosis, methods such as transmission confirmation, timeout control, integrity and sequence control of data packet transmission, and cyclic codes (CRC) are used. Encryption algorithms can be used to protect information during data transmission.
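    Two of the diagnostic functions above, configuration monitoring by checksum and the integrity, sequence and timeout checks on data packets, can share one CRC routine. The block below is an added example, not code from the article; the CRC-32 polynomial is the standard IEEE one, while the module serial number, firmware image bytes, frame layout and timeout are constructed values.

```c
/* Added example, not code from the article: configuration monitoring and
 * data-packet checking with CRC-32, sequence numbers and timeouts. The module
 * serial, image bytes, frame layout and timeout are constructed values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE 802.3 reflected polynomial), bitwise for clarity. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* ---- configuration monitoring: what the module reports vs. what is approved */
typedef struct { uint32_t serial_number; uint32_t firmware_crc; } module_report_t;
typedef struct { uint32_t expected_serial; uint32_t expected_crc; } module_config_t;

/* Builds the periodic report from the module's serial and its loaded image. */
module_report_t module_report(uint32_t serial, const uint8_t *image, size_t len)
{
    module_report_t r = { serial, crc32(image, len) };
    return r;
}

bool config_matches(const module_report_t *r, const module_config_t *c)
{
    return r->serial_number == c->expected_serial && r->firmware_crc == c->expected_crc;
}

/* ---- data packets: sequence number + timestamp + payload protected by CRC */
#define PAYLOAD_LEN 8
typedef struct {
    uint16_t seq;
    uint32_t timestamp_ms;
    uint8_t  payload[PAYLOAD_LEN];
    uint32_t crc;               /* computed over the three fields above */
} frame_t;

typedef struct { uint16_t expected_seq; uint32_t last_rx_ms; uint32_t timeout_ms; } link_state_t;
typedef enum { FRAME_OK, FRAME_TIMEOUT, FRAME_BAD_CRC, FRAME_BAD_SEQ } frame_status_t;

static uint32_t frame_crc(const frame_t *f)
{
    uint8_t buf[2 + 4 + PAYLOAD_LEN];      /* fixed big-endian serialization */
    buf[0] = (uint8_t)(f->seq >> 8);
    buf[1] = (uint8_t)f->seq;
    for (int i = 0; i < 4; i++)
        buf[2 + i] = (uint8_t)(f->timestamp_ms >> (24 - 8 * i));
    memcpy(buf + 6, f->payload, PAYLOAD_LEN);
    return crc32(buf, sizeof buf);
}

void frame_seal(frame_t *f) { f->crc = frame_crc(f); }

/* Receiver-side check. Any failure is reported to the caller, which decides
 * on a retry or on the transition to the safe state. */
frame_status_t frame_check(link_state_t *l, const frame_t *f, uint32_t now_ms)
{
    if (now_ms - l->last_rx_ms > l->timeout_ms) return FRAME_TIMEOUT;  /* gap too long */
    if (frame_crc(f) != f->crc)               return FRAME_BAD_CRC;   /* corrupted */
    if (f->seq != l->expected_seq)            return FRAME_BAD_SEQ;   /* lost or repeated */
    l->expected_seq = (uint16_t)(f->seq + 1);
    l->last_rx_ms = now_ms;
    return FRAME_OK;
}

int main(void)
{
    const uint8_t image[] = "constructed firmware image v1";   /* constructed */
    module_config_t approved  = { 1001u, crc32(image, sizeof image) };
    module_report_t ok_report = module_report(1001u, image, sizeof image);
    module_report_t swapped   = module_report(1002u, image, sizeof image);
    printf("config ok: %d, swapped module: %d\n",
           config_matches(&ok_report, &approved), config_matches(&swapped, &approved));
    return 0;
}
```

    The CRC catches corruption in transit, the sequence number catches lost or repeated packets, and the timeout catches a silent link; none of these is a cryptographic protection, which is why the text mentions encryption separately for protecting the information itself.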

    Protection against external influences


    Another group of safety methods is aimed at protecting against adverse effects. The method of independence and separation has already been considered by us.

    To keep control systems functioning, ventilation and air conditioning are used, enclosures are designed to withstand vibration and other mechanical influences, fire-extinguishing systems and non-combustible materials are installed, and materials and coatings resistant to chemical and radiation influences are applied.

    Serious attention is paid to ensuring electromagnetic compatibility: electromagnetic interference of various kinds, both external and self-generated, is filtered and suppressed, the latter to limit the effect on other equipment.

    Special ATEX standards are used for the construction of explosion-proof systems. IP rating standards are used to design dust- and moisture-proof systems.

    Protection against personnel errors


    Personnel operating control systems can both reduce and increase risks. Many technological accidents were caused by the human factor; at the same time, there are many cases where professional actions averted disasters and loss of life. Therefore, the development of the human-machine interface, taking into account the requirements of ergonomics and protection against operator errors, is also an important area of safety.

    Features of ensuring the information security of automated process control systems


    When considering methods aimed at ensuring FS, it is also important to ensure IS. IEC 61508 contains only a few general words on this subject. We will dwell on several features of industrial control systems that determine the approach to ensuring their information security. Figure 8 shows the potential vulnerabilities from which attack vectors are formed.



    Figure 8. Vulnerabilities in automatic process control systems (source: Byres Research Inc.)

    Such vulnerabilities are: network perimeter, remote connections, firewalls, purchased equipment, removable storage media (primarily using USB ports), as well as controller software and communication lines.

    Network segmentation


    The basis for ensuring the information security of automated process control systems is network segmentation and zoning of equipment placement (this topic was discussed in an earlier publication).

    It is recommended to implement at least one demilitarized zone (DMZ) in the automated process control system, separating the corporate network from the control network.



    Figure 9. Network structure of industrial control system with DMZ (source: NIST 800-82)

    Access control


    Another feature of ensuring the information security of automated process control systems is the active use of access control, which can be implemented in several ways.

    Equipment cabinets are fitted with locks and door-opening contact sensors that raise signals on the alarm display.

    Monitoring and saving a large amount of diagnostic data, including information related to information security, provides broad analytical capabilities.

    Since communication lines are vulnerable components, access to them is also controlled, at both the physical and the logical level. The use of communication lines and ports should be limited to what is justified. Safety systems require only unidirectional communications, using proprietary protocols that differ from the widespread industrial protocols.

    Changing the software settings or the software itself, as well as changing the hardware configuration, requires special authorization.

    Conclusions


    Methods and tools for ensuring the safety of control systems should reduce risks below the specified levels, both for the information security component and for the functional safety component. These methods fall into two groups: organizational and technical.

    Organizational methods include: project management, documentation, implementation of the IS and FS life cycle, the use of best practices and coding standards, the use of certified translators, compilers and code libraries, quality control in the production of hardware components, and the use of formal and semi-formal notations for the development of specifications and designs.

    Technical methods include: redundancy, separation and independence, diversity, protection against internal and external hazards, human-machine interface engineering, as well as various types of self-diagnosis.

    Special attack prevention techniques for control systems include access control and network segmentation.

    P.S. This article completes a series of publications on the topic of functional safety, which I have been working on for several months. Thanks to all readers, especially those who helped to finalize the material with their caring comments. In parallel with the publications, a video course on functional safety was prepared and recorded (it has no analogues in the world). The main provisions of the publications and the video course are devoted to approaches to certification of control systems for compliance with the requirements of IEC 61508. The topic of safety remains inexhaustible, and, therefore, there will be new publications.

    And here is a complete list of articles:

    - Introduction to the topic of functional safety;
    - IEC 61508 standard: terminology;
    - IEC 61508 standard: requirements structure;
    - The relationship between information and functional safety of industrial control systems;
    - Processes of management and assessment of functional safety;
    - The life cycle of information and functional security;
    - Theory of reliability and functional safety: basic terms and indicators;
    - Methods for ensuring functional safety.
